[Freeipa-devel] [PATCH] 52 Disallow deletion of global password policy

Jan Cholasta jcholast at redhat.com
Wed Oct 12 07:28:27 UTC 2011


On 11.10.2011 15:19, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> Don't allow "ipa pwpolicy-del global_policy".
>>
>> https://fedorahosted.org/freeipa/ticket/1936
>
> Can you add a unit test case for this? Then ack.
>
>>
>> Questions:
>>
>> Is it possible to disallow deletion of specific objects on LDAP level
>> instead?
>
> Well, that would be ideal in some cases. We'd need to write a plugin to
> intercept changes and have it compare it to a list of "no deletes". You
> can file an RFE if you want, this might be handy to have.
>
>>
>> The default HBAC rule, allow_all, can also be deleted - should it be
>> disallowed too?
>
> This is one we want to be removable. Before we had this the default HBAC
> stance was "nobody can log in" and it was jarring to most folks.
>
> It is possible to install without this rule using the option
> --no_hbac_allow
>
> rob

Unit test added.

Honza

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-52.1-pwpolicy-del-global.patch
Type: text/x-patch
Size: 2304 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111012/9a476d6e/attachment.bin>

